djm@openbsd.org [Thu, 21 May 2026 04:04:57 +0000 (04:04 +0000)]
upstream: mention that compression could potentially leak
information about session contents (cf. the CRIME attack on TLS) if a
connection allows attacker- controlled traffic over it alongside trused
traffic. This might occur in some forwarding scenarios.
Instead of freeing struct dns_query and struct dns_rr by walking the
linked lists recursively, use a simple loop. This avoids a possible
stack exhaustion unlikely to be reachable with the limits modern
resolvers impose.
Darren Tucker [Mon, 4 May 2026 11:40:52 +0000 (21:40 +1000)]
Improve Solaris PAM tests.
- Set up and run tests with SUDO.
- Set random password to use for password & kbdint auth tests.
- Only run t-exec when re-testing with PAM, don't rerun unit tests.
- When testing PAM builds, test with and without UsePAM.
Renaud Allard [Sat, 21 Mar 2026 18:23:04 +0000 (19:23 +0100)]
vm.yml: fix solaris PAM tests
Add missing SSHD_CONFOPTS="UsePam yes" to the solaris PAM test
step so it actually tests PAM functionality instead of re-running
the default tests with a PAM-enabled binary.
upstream: Drop -Winline from CDIAGFLAGS it breaks on sparc64
On sparc64 ssh/unittests/kex fails to build with:
usr.bin/ssh/libcrux_mlkem768_sha3.h:8196: warning: inlining failed
in call to 'libcrux_ml_kem_polynomial_ZERO_89_ea':
--param max-inline-insns-single limit reached
Darren Tucker [Mon, 27 Apr 2026 10:51:17 +0000 (20:51 +1000)]
Re-enable SHA1 sigs in OpenSSL on Cygwin for tests.
Recently Cygwin imported changes from Fedora which disable SHA1
signatures by default. This breaks the unit tests (and a couple of
regression tests), so set rh-allow-sha1-signatures=yes in the OpenSSL
config to re-enable them.
Darren Tucker [Sat, 25 Apr 2026 10:00:38 +0000 (20:00 +1000)]
Check for OPENSSL_NO_ENGINE for --with-ssl-engine.
OpenSSL 4 removes support for ENGINE, but it provides no-op stubs
for the ENGINE functions in addition to setting OPENSSL_NO_ENGINE.
The presence of the stubs fooled the old configure test, so if someone
tried --with-ssl-engine with OpenSSL 4.0.0 it'd try but fail at build
time. Explicitly check for OPENSSL_NO_ENGINE. before trying to enable
ENGINE support. bz#3952.
upstream: move username validity check for usernames specified on
the commandline to earlier in main(), specifically before some contexts where
a username with shell characters might be expanded by a %u directive in
ssh_config.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We continue to recommend against using untrusted input on
the SSH commandline. Mitigations like this are not 100%
guarantees of safety because we can't control every
combination of user shell and configuration where they are
used.
upstream: Fix possible sshd crash when sshd_config set MaxStartups
to a value <10 using the single-argument form of MaxStartups (e.g.
MaxStartups=3). This doesn't affect the three-argument form of the directive
(e.g. MaxStartups 3:20:5).
Damien Miller [Thu, 2 Apr 2026 07:32:00 +0000 (18:32 +1100)]
properly bail out when PAM changes username
OpenSSH doesn't support PAM changing its conception of the
username via a module calling pam_set_item(h, PAM_USER, ...).
We were supposed to bail out here, but I messed up while "fixing"
this last time and dropped a return statement.
This will MODIFY THE CONFIG OF THE SYSTEM IT IS RUNNING ON to enable
hostbased authentication to/from itself and run the hostbased tests. It
won't undo these changes, so don't do this on a system where this matters.
djm@openbsd.org [Mon, 30 Mar 2026 07:18:24 +0000 (07:18 +0000)]
upstream: apply the same validity rules to usernames and hostnames
set for ProxyJump/-J on the commandline as we do for destination user/host
names.
Specifically, they are no longer allowed to contain most characters
that have special meaning for common shells. Special characters are
still allowed in ProxyJump commands that are specified in the config
files.
This _reduces_ the chance that shell characters from a hostile -J
option from ending up in a shell execution context.
Don't pass untrusted stuff to the ssh commandline, it's not intended
to be a security boundary. We try to make it safe where we can, but
we can't make guarantees, because we can't know the parsing rules
and special characters for all the shells in the world, nor can we
know what the user does with this data in their ssh_config wrt
percent expansion, LocalCommand, match exec, etc.
While I'm in there, make ProxyJump and ProxyCommand first-match-wins
between each other.
Damien Miller [Sun, 29 Mar 2026 05:24:59 +0000 (16:24 +1100)]
fix state confusion between PAM and privsep code
Commits b9a6dd4d6 and df2b28163 introduced a potential desynchronisation
between the PAM code and the sshd-session monitor that could result in
authentication bypass if the unprivileged sshd-auth process had been
compromised.
Reported by Ben Edelman of NIST. Only git HEAD is affected, these
changes have not yet been included in an OpenSSH release.
Icenowy Zheng [Sun, 22 Mar 2026 07:13:31 +0000 (15:13 +0800)]
seccomp sandbox: allow riscv_hwprobe syscall if present
The development branch of zlib-ng now contains code for utilizing
riscv_hwprobe syscall to retrieve availability information for several
RISC-V extensions (and accelerate deflate algorithm with them).
As the seccomp sandbox of OpenSSH will raise SIGSYS for filtered out
syscalls, this will abruptly terminate the process when the
riscv_hwprobe syscall is tried.
Put it into the allowlist to prevent process termination. As all
syscalls here are guarded by #ifdef's, the same will be done for
riscv_hwprobe, and thus on non-RISC-V builds nothing will happen.
upstream: Check return values of fcntl(... O_CLOEXEC)
calls by reusing the macro in monitor.c. Flagged by Coverity CID
901297 in ssh-sk-client.c, a few other instances added for good measure.
begrudging ok deraadt@
upstream: With it's own daemonization / fd cleaning code, ssh-agent
opens /dev/null O_RDWR after a pledge without "wpath". This is allowed in
current pledge because "/dev/null" is implicitly allowed to be opened even
with the most restrictive pledges or unveils. This is a design decision in
pledge made at the very beginning, to satisfy libc requirements. We've
finally had enough experience and know how to fix that in the near-future,
but need to review and fix all code which opens these implicit paths. The fix
is to add "wpath", so that "/dev/null" can be opened O_RDWR. But that is
uncomfortable, so we add unveil() allowing "/" with "r", 4 unveil "x" for the
potential askpass and helpers to be execve'd, and "/dev/null" with "wr". As
a result filesystem access is substantially more restricted than before, and
ssh-agent is ready for the future pledge change. ok djm dtucker
upstream: Stop doing access() before execve(). It is a TOCTOU, but
also it forces use of unveil "rx" instead of "x". This is done by using a
pipe() through the fork+execve attempt to expose execve failure and create
the same error return as the access() used to do. ok djm dtucker
djm@openbsd.org [Thu, 5 Mar 2026 05:40:35 +0000 (05:40 +0000)]
upstream: With IANA codepoints for draft-ietf-sshm-ssh-agent now
allocated, it's safe to start using the standard names for requesting agent
forwarding over the @openssh.com extension names we've used to date.
Support for the standard names is advertised via EXT_INFO. When the
client sees such support it will use the new names preferentially,
but the existing names remain supported unconditionally.
extension requests should indicate failure using
SSH_AGENT_EXTENSION_FAILURE rather than the generic SSH_AGENT_FAILURE
error code. This allows the client to discern between "the request
failed" and "the agent doesn't support this extension".
djm@openbsd.org [Mon, 2 Mar 2026 02:40:15 +0000 (02:40 +0000)]
upstream: Move banner exchange to sshd-auth process
Previously, exchange of the initial SSH- banners was performed
by the privileged sshd-session monitor. This moves it to the
unprivileged sshd-auth subprocess, removing ~200 LoC from the
monitor's privileged attack surface.
The monitor gains a new "setcompat" RPC to allow sshd-auth to
inform it of bug compat flags picked up from the client's banner.
Darren Tucker [Sat, 28 Feb 2026 22:46:39 +0000 (09:46 +1100)]
Try -lstdc++ for libcrypto before giving up.
BoringSSL recently added destructors to libcrypto, which requires
linking against libstdc++, so when checking for a working libcrypto if
at first the link fails, try again with -lstdc++ before giving up.
projects / thirdparty / openssh-portable.git / log
